InfoSec News Nuggets – October 1, 2018

Facebook, already facing scrutiny over how it
handles the private information of its users, said on Friday that an attack on
its computer network had exposed the personal information of nearly 50 million
users. The breach, which was discovered this week, was the largest in the
company’s 14-year history. The attackers exploited a feature in Facebook’s code
to gain access to user accounts and potentially take control of them. Three
software flaws in Facebook’s systems, used in combination, allowed hackers to
break into user accounts, including those of the top executives Mark Zuckerberg
and Sheryl Sandberg, according to two people familiar with the investigation
who were not authorized to discuss it publicly. Once in, the attackers could
have gained access to apps like Spotify, Instagram and hundreds of others that
let users log in through Facebook.

Hackers probing America’s electronic voting
systems have painted an astonishing picture of the state of US election
security, less than six weeks before the November midterms. The full 50-page
report [PDF], released Thursday during a presentation in Washington DC, was put
together by the organizers of the DEF CON hacking conference’s Voting Village.
It recaps the findings of that village, during which attendees uncovered ways
resourceful miscreants could compromise electoral computer systems and change
vote tallies. In short, the dossier outlines shortcomings in the electronic
voting systems many US districts will use later this year for the midterm
elections. The report focuses on vulnerabilities exploitable by scumbags with
physical access to the hardware.

The FBI and the US Department of Homeland
Security have added their voices to warnings of insecure deployments of Remote
Desktop Protocol (RDP) services. Of the RDP-spread ransomware infections the
FBI’s advisory highlighted on Thursday, probably the one striking the most fear
into sysadmin hearts was SamSam, a campaign that started in 2015 and has since
then earned its operators an estimated US$5.9m in illicit gains. The FBI/DHS
public service announcement reiterates what sysadmins (and home users) should
know, but all too often aren’t acting on. Businesses and private citizens
alike, the statement said, should “review and understand what remote accesses
their networks allow and take steps to reduce the likelihood of compromise,
which may include disabling RDP if it is not needed.”
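A quick way to act on that advice on a Windows host, as an added example that is not part of the FBI/DHS announcement: the function below reports whether Remote Desktop is switched on, whether Network Level Authentication (NLA) is required, whether anything is listening on TCP 3389, whether the built-in “Remote Desktop” firewall rule group is enabled, and who sits in the Remote Desktop Users group. The function name and the output fields are my own; the registry values and cmdlets are standard Windows ones. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the FBI/DHS advisory. Get-RdpExposure is a
# hypothetical helper name; the registry values and cmdlets are standard Windows.
function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means Remote Desktop is switched on.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections

    # UserAuthentication = 1 means NLA is required, so a client must
    # authenticate before it ever reaches the Windows logon screen.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication

    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen `
                    -ErrorAction SilentlyContinue
    $fwRules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' `
                    -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' }
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' `
                    -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RdpEnabled          = ($deny -eq 0)
        NlaRequired         = ($nla -eq 1)
        ListeningOn3389     = [bool]$listener
        FirewallRuleEnabled = [bool]$fwRules
        RemoteDesktopUsers  = ($rdpUsers.Name -join ', ')
    }
}

$state = Get-RdpExposure
$state | Format-List

if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'RDP is on without NLA: unauthenticated clients reach the logon screen.'
}

# Remediation the advisory recommends: disable RDP when it is not needed ...
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
#     -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
# ... or, if it must stay on, at least require NLA:
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
#     -Name UserAuthentication -Value 1
```

The firewall check only covers the host’s own rule group; whether 3389 is reachable from the internet also depends on perimeter NAT and firewall policy, so pair this host-side audit with an external port scan of your public ranges. Requiring NLA does not stop password guessing against exposed RDP, which is how campaigns like SamSam got in; it only removes the unauthenticated attack surface of the logon screen, so keep RDP behind a VPN or gateway and enforce lockout and MFA as well.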

The U.S. Secret Service is warning financial
institutions about a recent uptick in a form of ATM skimming that involves
cutting cupcake-sized holes in a cash machine and then using a combination of
magnets and medical devices to siphon customer account data directly from the
card reader inside the ATM. According to a non-public alert distributed to
banks this week and shared with KrebsOnSecurity by a financial industry source,
the Secret Service has received multiple reports about a complex form of
skimming that often takes thieves days to implement. This type of attack,
sometimes called ATM “wiretapping” or “eavesdropping,” starts when thieves use
a drill to make a relatively large hole in the front of a cash machine. The
hole is then concealed by a metal faceplate, or perhaps a decal featuring the
bank’s logo or boilerplate instructions on how to use the ATM.

Secretary of Defense Jim Mattis predicted the
U.S. government will one day offer cyber protection to businesses that work
with critical infrastructure and may even extend such a buffer to some
individuals. The top Pentagon official said during a Sept. 25 speech at the
Virginia Military Institute that he envisions a voluntary program that would be
spurred by the rapid change in technology. “Because the Department of Defense
has about 95 percent more of the capability to protect the country on cyber, we
are probably going to have to offer to banks, to public utilities, (to)
electrical generation plants and that sort of thing, the opportunity to be
inside a government protected domain,” Mattis said. “It’s not going to be
forced and there are constitutional issues, but I think we should also offer it
to small businesses and individuals.”

Wednesday was a busy day for the Federal
Communications Commission (FCC) when it comes to putting some pecuniary hurt on
marketing companies for illegally spoofing millions of calls. One of the fines
– a proposed one – was a first for the Commission, in that it’s the first major
enforcement action against a company that apparently “commandeered consumers’
phone numbers,” the FCC said in its announcement. The FCC is looking to
penalize Affordable Enterprises of Arizona for more than $37.5 million for what
it says are more than 2.3 million illegally spoofed robocalls that pretended to
be from consumers’ phone numbers. Affordable Enterprises was at it for 14 months,
starting in 2016. Its shtick was to sic its robots on unsuspecting people in
order to telemarket home improvement and remodeling services.

Almost eight years after the Identity Theft Red
Flags rule went into effect, the SEC announced its first enforcement of the
law. The Des Moines, Iowa-based broker-dealer and investment advisor Voya
Financial Advisors will pay $1 million to settle charges that it failed to
adopt procedures to protect customer records and to address weaknesses in its
cybersecurity policy after cyber intruders gained access to the personal
information of several thousand customers.